[webkit-gtk] About the policy of (non) updating minimum build-dependencies

Michael Catanzaro mcatanzaro at igalia.com
Thu Jul 21 20:00:41 PDT 2016

On Thu, 2016-07-21 at 22:04 +0200, Carlos Alberto Lopez Perez wrote:
> Debian is already taking our updates: WebKitGTK+ 2.12 is available on
> the backports repository for stable.

This hardly counts. Users don't realize the only safe way to use WebKit
is to enable the backports repository.... I gave some comments on
Debian's policy at [1] (scroll down to the Debian heading) which is
good enough for me, as I'm not a Debian developer.

Regardless, you're right, I'm pretty sure your suggested policy is
better than mine. I would tweak it slightly:

 * We support each major Debian version until one year after the
release of the next major version.
 * We support each Ubuntu LTS until one year after the release of the
next Ubuntu LTS.

In practice, it means we don't depend on anything newer than about
three years old, whereas with your original proposal it would be about
two years. This makes it possible for distros to do security updates
for while longer. Sound good?

We can always consider extending this period in the future if a major
distro wants to provide security updates for longer than three years,
but it's a moot point right now.


[1] https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

More information about the webkit-gtk mailing list